Is your VPN actually secure?

With everyone working from home, a large amount of internet traffic right now consists of VPN traffic. VPN is not a silver bullet; if done incorrectly, it can be just as vulnerable as leaving your front door unlocked.

What is VPN? You may have heard of tunnels, AutoVPN, or other similar technologies as well

A virtual private network extends the connectivity from an office, cloud, or other network to another location. That location can be another office, a device (such as your laptop), or even another cloud. There are some technologies that are labeled as VPN, and while that is technically incorrect, to you they are functionally the same. The key takeaway is that a VPN lets you connect back to company resources, ideally in a secure manner.

Don’t skip Multifactor Authentication (MFA)

If you are not using MFA already, you need to ask why. It has become the most affordable security technology to deploy due to its combination of low cost (Cisco’s Duo starts at $3/user/month) and high impact (read my favorite article here about how it can stop 100% of automated attacks). We’re such big believers that we include it as part of all our managed IT plans.

Out of date software/hardware

One of the biggest issues is out-of-date software and hardware. That means you can be at risk if you are connecting to server software that has not been updated in years, or you are connecting to an old firewall. VPN is constantly under attack, and vulnerabilities are constantly being patched. Just this week, Sophos (one of the biggest firewall/VPN vendors) had a flaw exposed that allowed hackers to gather usernames and passwords from their firewalls. They quickly issued an update that IT staff need to apply.

In the majority of clients that CGP starts working with, we find firewalls that are either no longer supported by the manufacturer or extremely out of date. You would not skip installing updates on your server operating system, so why is that happening on your firewalls?

Incorrectly configured VPN

Like many other parts of IT, VPN should be set up for the least amount of access possible. If users leverage VPN to connect to their desktops at the office, VPN should only have that port open, and only be allowed to talk to the desktops, not the servers. With today’s security issues, you have to work under the assumption that all devices will get compromised at some point, so avoid exposing any more of your network than necessary.
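One way to check the least-access rule described above, as an added example that is not part of the original post: a short Python audit of a constructed firewall ruleset. The address ranges, the rule tuple format, and the use of RDP on 3389/tcp as the remote desktop port are all assumptions.

```python
import ipaddress

# Assumptions (constructed for illustration, not from the post): VPN clients
# get addresses from VPN_POOL, office desktops sit in DESKTOPS, and remote
# desktop is RDP on 3389/tcp.
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")
DESKTOPS = ipaddress.ip_network("192.168.10.0/24")
ALLOWED_PORTS = {("tcp", 3389)}

# Constructed sample rules: (action, source, destination, protocol, first port, last port)
RULES = [
    ("allow", "10.8.0.0/24", "192.168.10.0/24", "tcp", 3389, 3389),    # intended rule
    ("allow", "10.8.0.0/24", "192.168.20.5/32", "tcp", 445, 445),      # a server is reachable
    ("allow", "10.8.0.0/24", "192.168.0.0/16", "tcp", 3389, 3389),     # destination too broad
    ("allow", "10.8.0.0/24", "192.168.10.0/24", "tcp", 1, 65535),      # every port open
    ("allow", "192.168.10.0/24", "192.168.20.0/24", "tcp", 443, 443),  # not VPN traffic
    ("deny", "10.8.0.0/24", "0.0.0.0/0", "any", 1, 65535),             # default deny
]


def audit(rules):
    """Return (rule index, reasons) for allow rules that give VPN clients too much access.

    Rule ordering and shadowing are not modelled; each rule is judged on its own.
    """
    findings = []
    for index, (action, src, dst, proto, first, last) in enumerate(rules):
        if action != "allow":
            continue
        if not ipaddress.ip_network(src).overlaps(VPN_POOL):
            continue  # rule does not apply to VPN clients
        reasons = []
        if not ipaddress.ip_network(dst).subnet_of(DESKTOPS):
            reasons.append(f"destination {dst} is not inside the desktop subnet")
        permitted = {port for p, port in ALLOWED_PORTS if p == proto}
        if not all(port in permitted for port in range(first, last + 1)):
            reasons.append(f"{proto} ports {first}-{last} exceed the remote desktop port")
        if reasons:
            findings.append((index, reasons))
    return findings


if __name__ == "__main__":
    for index, reasons in audit(RULES):
        print(f"rule {index}: " + "; ".join(reasons))
```

In practice the rule tuples would come from an export of the firewall's own policy, and the flagged rules are the ones to tighten or remove.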

VPN is really starting to worry me at this point, am I using the right technology?

Probably. VPN is usually one of the most secure ways to connect, but only if set up correctly. However, if you don’t want to risk your security, an expert is just a call away.

Dustin Bolander | Covid-19